WEIS 2016 - Trip
I've been pretty quiet here on the vo for the past 2 weeks. Well, in all my travels I managed to find a bug and it took me out for a week. So, this Monday I'm at WEIS, the Workshop on the Economics of Information Security, at Berkeley University.
The first speaker is Hal Varian, Chief Economist of Google.
The lunch talk was interesting. It was a war story. Apparently people scam people who are authors and keynotes at conferences. They call up saying they are working with the conference, that rooms are filling up and that they can help out (or, if there is already a reservation, that they can provide it cheaper). In this case they took a 25% deposit and then the rest 1 month before. It turns out they just take the money and don't book the rooms. Yes, it's fraud, but law enforcement and credit card companies haven't done much yet. So the advice is that conference organizers alert authors and keynotes that these scams are real and not to give them your information. It's not new; it's called room poaching.
The first talk after lunch was about bitcoin. Mt. Gox was the largest bitcoin exchange. They looked at how DDoS attacks and other attacks impacted the bitcoin ecosystem. When Mt. Gox collapsed, there was a data leak, which made for interesting research. While they couldn't test the validity of the data, they did tests to see if it was consistent. They found that the big traders don't make big trades right after a DDoS.
The 2nd talk was on bitcoin storage to reduce the impact of theft events, looking at how to manage online/offline storage. Increasing offline storage doesn't mean more security.
The third was about credit card fraud, particularly with third party payment networks. They proposed a way to decrease fraud.
The fourth paper was on markets for anonymity, which is not being able to be identified within a set. They are studying a market: bitcoin. They found most used sets of 2 people.
The last session of the day is on user attitudes and perceptions.
The first paper in this session is on risk assessment. This study is on experts' preferences for risk mitigation. The findings were based on a survey in which professionals had to play lotteries to see if they gained or lost money based on probabilities. The results are in the paper and too numerous for me to type, but generally they are risk averse. They also favor risk modification rather than risk elimination, and reducing losses rather than probabilities.
The 2nd paper was on consumer perception of data breaches, using RAND's American Life Panel. They found that a huge percentage of Americans have gotten a data breach notice: 26% in the past year. Of those, over half had more than 1 notification in the past year. Then lots of other information about it.
The third paper is from UCL and Angela Sasse is a co-author. They analyzed 30 banks' Terms and Conditions for security instructions and advice, then studied the understanding of them across DE, UK and US. They found the security advice given varies widely and sometimes even contradicts itself. So customers don't read the T&C and assume the worst. The US people are surprised by the consumer protections.
The last speaker of the day is on cybercrime, estimating its cost. The costs are the victims' costs: indirect losses and protection expenses. They found the main driver of consumer cybercrime is time. Protection expenses exceed the direct losses.
On to Day 2, Tuesday. It starts with a panel on the value and balance between encryption and surveillance. The FBI general counsel was to be here for it but the weekend's activities are preventing him from attending. The panel brought up issues and areas for research, because there is a need for quantitative research on the issue to be able to have a more in-depth and informed discussion rather than rhetoric.
At the break, I took the time to go up the tower and got a good view of the entire bay area. It's really clear today.
After the break, the first research paper was about the FTC's history and relevancy to consumer protection. The 2nd paper is about breaches. They found that companies that experience a data breach have a small but noticeable 0.27% decrease in stock value following the news breaking. The media has extra positive news on that day, 15 times larger than normal: 0.46% vs 0.03%. Disclosures have a significant negative effect on stocks.
The third paper is on ad-blocking and privacy preferences. There is an ad-block war between users and publishers. The proposal and prototype is an ad blocker that blocks based on content that the user determines.
After lunch, the first talk was about the malware marketplace. As programs get more secure, it attracts more attackers to break them. The 2nd paper was on estimating malware across countries, using Microsoft's Malicious Software Removal Tool and other regressions. The Middle East, Africa and South America have the highest percentage of unprotected computers with malware.
The third paper was given by the Federal Reserve. They studied alerts on credit reports. He mentioned the validity of the study, a sign of good science.
Then the final session of the day and workshop. The paper was about bugs and bug bounty programs. They found people like to go to new programs, especially if they have higher rewards. The 2nd paper was about electricity transmission in Colombia. The transmission company hires contractors to repair the lines. The contractors could get extra money by hiring guerillas to cause attacks, so they model it and offer ideas on how to change the incentive program. The third and final paper is about patching: vendors charging for the option not to patch.
The first paper presentation is on the asymmetric conflict in web security. It costs more to defend than to attack. The problem with previous research / game theory is that they defend a known set. They use Colonel Blotto Web Security to model the asymmetric nature. It provides insights into defender strategies. This game was unsolved for almost a hundred years, and the problem is that the attacker can increase the number of battlefields so that the defender's resources get stretched, just like malicious websites. Even with perfect detection (100%), attackers will still create malicious websites because there is a probability that the defender is not there to defend that spot, so it's still worthwhile.
The second paper was on how organizations put their cybersecurity dollars: how do they manage risk? They interviewed 40 CISOs and other executives from large organizations to better understand how decisions are made in the real world (semi-structured interviews). They found upper level management is supportive of cybersecurity. It's up in private; government has budget constraints. About 50% thought their own organization was spending the right amount, but few thought their peers were; the peers are spending too little, or too much in the wrong area. Very few talked about reducing expected loss from an attack, even as justification for cybersecurity investment. ROI is not used. The metrics used were output metrics rather than outcome metrics. The rise of frameworks emphasizes the process of managing cybersecurity without explicit regard to loss or likelihood of attack. Frameworks are a powerful communications tool but they might be the new checkbox. (There is worry about the frameworks being more scientific; the scientific rigor behind them can be not great. But they don't feel it's a lemon market.) There are special challenges in government: the budgeting processes, and getting out of the 3 year procurement cycle even to mitigate a threat. There are also organizational level issues, department level issues, too many people to get buy-in from, and an issue with FISMA: too much time for doing anything. Thus government is not doing adequately.
The third presentation is about infosec investment failures. The current security environment is treating symptoms: prevention and detection, third party additions, and failure to address the sources of vulnerabilities. The alternative is to build security in, with good secure development in software engineering. But the problem with those "good things to do" in software development is: how much do you do? How much to invest, and when? They presented an initial model and found multiple things; one noteworthy thing was that the optimal investment wasn't more.
The final presentation of the morning: under-investment in data security from the perspective of consumer protection. Mandatory breach notification may not always increase security investment. They modeled it. For example, if a website has a breach, it loses consumers. So they have a calculation to make: the lost profit from those consumers who leave vs how much to spend on security. Generally the assumption is increased investment at equilibrium, but (sorry Heather, here's a virtual quarter) consumers are passive. They looked to see what happens if consumers work to reduce their losses in a data breach. They also added in the bank. If the bank invests so much in fraud detection, the consumers don't care about the reputation of the website, so they no longer drive the equilibrium into more website cybersecurity investment.